2
   

Why we can't notify specific members about the short password problem

 
 
Reply Thu 14 Aug, 2008 09:17 pm
On the old site you could have a password shorter than 6 characters. Here you can't. This is causing problems for those who had shorter passwords, they need to reset them to log in.

Here's why we can't be proactive about this: we have no idea how long your password is. To protect your security, we never store your real password. We store an encrypted hash of it. So your passwords turn into a string of random-looking characters. That way your password here is safer if you use it for other things, even the system admins don't know what it is.

The downside in this case is that we don't know what specific users need to change their passwords.
 
Craven de Kere
 
  3  
Reply Thu 14 Aug, 2008 09:18 pm
@Craven de Kere,
Crap. Posted this as a question. Rolling Eyes
0 Replies
 
Rockhead
 
  1  
Reply Thu 14 Aug, 2008 09:19 pm
@Craven de Kere,
Anyone using a password less than 7 letters (and numbers, too) is NAIVE...
0 Replies
 
Butrflynet
 
  1  
Reply Thu 14 Aug, 2008 09:38 pm
@Craven de Kere,
What about having the system temporarily add Xs as placeholders at the end of old passwords that are less than 6 characters? That could then lead them to the My Account Page with instructions for them to change their password to one of 6 characters or more.

That would work even if all you as the administrator sees is hash marks.
Example: ####xx or ###xxx, etc.

Then we have something to tell people to try when they make contact with you about their old password not working. Tell them to use their old password characters plus the number of x's it takes to equal 6 characters.
Borat Sister
 
  1  
Reply Thu 14 Aug, 2008 09:50 pm
@Craven de Kere,
My problem is that when I ask the site to send me the means to reset my password to my dlowan email, it is not doing so.


I am about to try again.

It worked with this account, though, and I was able to reset the password.
Craven de Kere
 
  1  
Reply Thu 14 Aug, 2008 09:56 pm
@Butrflynet,
Quote:
What about having the system temporarily add Xs as placeholders at the end of old passwords that are less than 6 characters?


I was trying (and apparently failed) to explain that we have no way of knowing who's password is less than 6. Here's some examples from Wikipedia ( http://en.wikipedia.org/wiki/MD5#MD5_hashes ):

MD5("The quick brown fox jumps over the lazy dog")
= 9e107d9d372bb6826bd81d3542a419d6

MD5("")
= d41d8cd98f00b204e9800998ecf8427e

All we have stored is that second string of numbers and letters. As you can see, a sentence generates the same length hash as no password at all.
0 Replies
 
Craven de Kere
 
  1  
Reply Thu 14 Aug, 2008 09:58 pm
@Borat Sister,
You said to me in an email that you got a message bu that it didn't work for you. But I think you used it wrong. If you get the message just click on the link. Then you should be logged in and you will be able to change your password.

In any case, I've been neglecting my email so if you can send a ticket to the help desk it will remind me when I go in there to solve account lockouts.
Borat Sister
 
  1  
Reply Thu 14 Aug, 2008 10:08 pm
@Craven de Kere,
Previously I used it wrong...then "got it" and was able to log into Beta.

Now....I don't get an email from the new site at all.

I have tried 4 times.

As Borat Sister, requesting the same thing, to reset password, I was emailed immediately and was then able to change the password and log in.

But I will certainly send a ticket to the help desk.
Craven de Kere
 
  1  
Reply Thu 14 Aug, 2008 10:09 pm
@Borat Sister,
Is it filtering the email on one of the addresses (if they are both on the same isp that would be less likely)?
Borat Sister
 
  1  
Reply Thu 14 Aug, 2008 10:13 pm
@Craven de Kere,
Well, I have not changed any settings, and the email to do the same thing for logging in to the beta site came through ok.

My primary email (dlowan's) is via my ISP.

Borat Sister's email address is a Gmail one.


Ah....not sure if this is relevant or not, but the Help Desk acknowledgement came through fine to my dlowan email.
Craven de Kere
 
  1  
Reply Thu 14 Aug, 2008 10:18 pm
@Borat Sister,
Your ISP might be filtering it. We'll figure it out later.
Borat Sister
 
  1  
Reply Thu 14 Aug, 2008 10:18 pm
@Craven de Kere,
Erm...ok...what can I do about that?
Edit:
Strike that...later is fine.


Thank you.
0 Replies
 
DrewDad
 
  3  
Reply Fri 15 Aug, 2008 12:28 am
@Butrflynet,
A "hash" is a one-way function.

You can create the hash from the original text, but you cannot re-create the original text from the hash.

Also, a good hashing algorithm (and MD5 is considered "good" by the cryptography community), always results in the same length hash, no matter what the input text is. A hash from a one-character string is (theoretically) as pseudo-random as a hash from a very long string.

All of which is a long-winded way of saying "no."
0 Replies
 
 

Related Topics

How to use the new able2know - Discussion by Craven de Kere
New A2K feature requests. - Discussion by DrewDad
I'm the developer - Discussion by Nick Ashley
JIM NABORS WAS GOY? - Question by farmerman
A2K censors tags? - Discussion by hingehead
New A2K Bugs - Discussion by sozobe
New A2K annoyances - Discussion by sozobe
The a2k world is changing 3: about voting - Discussion by Craven de Kere
LOST & MISPLACED A2K people. - Discussion by msolga
Welcome to the 'New' My Posts - Discussion by Nick Ashley
The "I get folksonomy" club - Discussion by Robert Gentel
 
  1. Forums
  2. » Why we can't notify specific members about the short password problem
Copyright © 2021 MadLab, LLC :: Terms of Service :: Privacy Policy :: Page generated in 0.03 seconds on 06/20/2021 at 02:13:39